On Tuesday, Rep. Zoe Lofgren (D-CA) took to the pages of reddit to introduce legislation she dubbed "Aaron's Law." Lofgren's bill would modify the Computer Fraud and Abuse Act, the basis for Swartz's prosecution, to clarify that its definition of unauthorized access "does not include access in violation of an agreement or contractual obligation, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer." It would make a similar change to the wire fraud statute.

The language was praised by Harvard law professor Lawrence Lessig, a friend of Swartz whose wife organized his legal defense fund. "This is a CRITICALLY important change that would do incredible good," Lessig wrote on reddit. "The CFAA was the hook for the government's bullying of @aaronsw. This law would remove that hook."

But other observers expressed doubts that Lofgren's proposal would have ruled out Swartz's prosecution. While Swartz's violation of JSTOR's terms of use was one factor mentioned in the federal indictment against him, the government also mentioned that he switched IP addresses, spoofed his MAC address, and entered an MIT network closet. Conceivably, those actions could be construed as sufficient to establish "unauthorized access" even with Lofgren's bill on the books.

"The current language would have narrowed Aaron's indictment, so possibly would have reduced sentence," tweeted University of Virginia law professor Chris Sprigman. But he conceded that Swartz would likely be "still indictable" under Lofgren's proposal. Sprigman argued that "if it attracts GOP co-sponsors and gets a hearing, there will be plenty of opportunity to amend."

Marcia Hoffman, an attorney at the Electronic Frontier Foundation, agreed. "It’s a great first step," she told Forbes. "But if it’s trying to make sure what happened to Aaron can’t happen to someone else, it needs to do more."

Investigating Carmen Ortiz

Meanwhile, Rep. Darrell Issa (R-CA) has told the Huffington Post that he is investigating the actions of the US Attorney’s Office in Massachusetts, led by Carmen Ortiz.

"I’m not condoning [Swartz's] hacking, but he’s certainly someone who worked very hard,” Issa said. “Had he been a journalist and taken that same material that he gained from MIT, he would have been praised for it. It would have been like the Pentagon Papers."

Swartz faced a theoretical maximum sentence of 35 years in prison. Issa told the Huffington Post that the sentence "does seem like it was an awful lot. I’ll make a risky statement here: Overprosecution is a tool often used to get people to plead guilty rather than risk sentencing."

Ortiz's tactics were also savaged by Rep. Jared Polis (D-CO). “The charges were ridiculous and trumped-up,” he told The Hill. “It's absurd that he was made a scapegoat. I would hope that this doesn't happen to anyone else.” Polis labeled Swartz a "martyr."

Issa chairs the House Committee on Oversight and Government Reform. Lofgren, Issa, and Polis are all members of the House Judiciary Committee, which oversees the Justice Department.

They were also three of the most prominent opponents of the Stop Online Piracy Act. Swartz and the organization he founded, Demand Progress, helped to organize the grassroots opposition to the legislation. We interviewed Lofgren at CES last week.

The Obama administration is also facing grassroots pressure to fire Ortiz. A petition asking for Ortiz's removal has attracted more than 35,000 signatures, easily clearing the 25,000 signatures needed for an official response from the White House.

A mechanism whereby the prosecution has to declare damages/sentence they are seeking prior to trial, and then if the Judge awards/pronounces a lower amount the decision is reverted to no contest; would be a welcome addition I think.

Then we might see plaintiffs seeking REALISTIC damages. This could also be hilariously useful in patent law.

“Had he been a journalist and taken that same material that he gained from MIT, he would have been praised for it. It would have been like the Pentagon Papers.”

Would a journalist be praised for redistributing millions of in-copyright academic papers? Probably not.

While I really think the prosecution was overzealous and the charges undeserved—and while network closet hacking isn't exactly something I'd endorse or let slide—I think this Congressman has no idea what he's talking about.

Violating a EULA should at worst be a civil matter.... I wasn't even aware that you could be prosecuted for it...

It usually IS just a civil matter. This is why ALL copyright infringement cases have been heard in CIVIL court not criminal court. It only becomes a criminal matter when you turn a profit from it because you have moved from simple copyright violation to piracy. Aaron was being charged with gaining unauthorized access (hacking) by the federal court NOT copyright infringement. Hacking into a computer system or network is a federal crime which comes with potentially hefty federal prison time as Arron quickly learned.

Aaron was facing federal charges for gaining unauthorized access (Hacking) NOT copyright infringement. The feds don't give a shit about copyright infringement. They DO however care when you hack (gain unauthorized access) computers and networks. Why are people deliberately misrepresenting why he was arrested?

It is from my understanding of the CFAA, as a third year law student with a concentration in business and technology law, that the violation of the EULA in of itself is not actionable. What the violation evidences is exceeding "authorized use," which is the crux of the CFAA. Regardless of whether a bill is passed to make an exclusion or limitation to the definition of "authorized use" a breach of the EULA will still indicate a person has exceeded the rights to us bestowed upon him or the general public.

With that said, the CFAA is still being abused (remember the Ivy league students who used 'hole' in university websites to check their admission status?) and wielded with the same maliciousness and ignorance that nearly destroyed Stephen Jackson Games.

Violating a EULA should at worst be a civil matter.... I wasn't even aware that you could be prosecuted for it...

It IS just a civil matter. This is why ALL copyright infringement cases have been heard in CIVIL court not criminal court. It only becomes a criminal matter when you turn a profit from it because you have moved from simple copyright violation to piracy. Aaron was being charged with gaining unauthorized access (hacking) by the federal court NOT copyright infringement. Hacking into a computer system or network is a federal crime which comes with potentially hefty federal prison time as Arron quickly learned.

There is no "profit" requirement for your copyright infringement to be prosecuted criminally. There is a value requirement - that is, if the copyrighted material you illegally obtain can be valued at $5,000 or more, then you are civilly and criminally liable.

“Had he been a journalist and taken that same material that he gained from MIT, he would have been praised for it. It would have been like the Pentagon Papers.”

Would a journalist be praised for redistributing millions of in-copyright academic papers? Probably not.

While I really think the prosecution was overzealous and the charges undeserved—and while network closet hacking isn't exactly something I'd endorse or let slide—I think this Congressman has no idea what he's talking about.

No he was facing federal charges for hacking MIT's system NOT copyright infringement. If he were a journalist he would STILL be facing the same charges because hacking ANY system is a federal crime.

"...the government also mentioned that he switched IP addresses, spoofed his MAC address, and entered an MIT network closet. Conceivably, those actions could be construed as sufficient to establish "unauthorized access" even with Lofgren's bill on the books"

Conceivably? The guy walked into an network closet he wasn't supposed to be in and hooked his computer up to a server he wasn't supposed to have access too, to download something he was told he wasn't allowed to download. The only way this could have been a clearer example of "unauthorized access" is if he physically picked the locks on the network closet.

Do I think the government went a bit too far? Yes I do. Do I think he caused any lasting harm? No I don't. Do I think we should allow anyone to walk into any unlocked network closet, hook up their computer directly to the network, and then download massive amounts of data they feel should be free? No I don't.

The internet geeks need to calm down. They are so excited about Aaron when there are real problems in the world. If you want to do something for Aaron then improve the mental health treatment in this country. No amount of legislation is going to cure depression and end all suicides.

But other observers expressed doubts that Lofgren's proposal would have ruled out Swartz's prosecution. While Swartz's violation of JSTOR's terms of use was one factor mentioned in the federal indictment against him, the government also mentioned that he switched IP addresses, spoofed his MAC address, and entered an MIT network closet. Conceivably, those actions could be construed as sufficient to establish "unauthorized access" even with Lofgren's bill on the books.

Sorry but this is the very definition of 'unauthorized access.' THIS is the main reason the feds were even involved. They take hacking VERY seriously. If he didn't hack his way into MIT's system I seriously doubt the feds would have even looked at the case. How many copyright violation cases have federal courts heard? I mean cases where one person shared copyrighted material freely. Even if he were charged with charges related to trespassing or breaking and entering those wouldn't be federal charges. Those would have been handled at the local level.

Do I feel the feds went too far? No. All they did was show him how much prison time he COULD be facing. they always do this to scare defendants into cooperating with them in return for some charges going away, less time, and leniency. Did Aaron overreact a wee bit by ending his life instead of arguing his case in court like most people in his situation do? Yes he did.

“Had he been a journalist and taken that same material that he gained from MIT, he would have been praised for it. It would have been like the Pentagon Papers.”

Would a journalist be praised for redistributing millions of in-copyright academic papers? Probably not.

While I really think the prosecution was overzealous and the charges undeserved—and while network closet hacking isn't exactly something I'd endorse or let slide—I think this Congressman has no idea what he's talking about.

I am not sure but I thought the whole point of what he was doing was that they were actually public domain research papers. If thats the case, you REALLY can't call it stealing.

The internet geeks need to calm down. They are so excited about Aaron when there are real problems in the world. If you want to do something for Aaron then improve the mental health treatment in this country. No amount of legislation is going to cure depression and end all suicides.

And no amount of ignoring overzealous prosecution will end overzealous prosecution. (In other words: You're constructing a straw man.)

"...the government also mentioned that he switched IP addresses, spoofed his MAC address, and entered an MIT network closet. Conceivably, those actions could be construed as sufficient to establish "unauthorized access" even with Lofgren's bill on the books"

Conceivably? The guy walked into an network closet he wasn't supposed to be in and hooked his computer up to a server he wasn't supposed to have access too, to download something he was told he wasn't allowed to download. The only way this could have been a clearer example of "unauthorized access" is if he physically picked the locks on the network closet.

Do I think the government went a bit too far? Yes I do. Do I think he caused any lasting harm? No I don't. Do I think we should allow anyone to walk into any unlocked network closet, hook up their computer directly to the network, and then download massive amounts of data they feel should be free? No I don't.

Not quite. He walked into a network closet that was left unsecured and probably unlabelled. Our closets have no labels. He plugged his machine into a physical network and accessed a system (JSTOR) that he was perfectly allowed to use. Remember, he was a Harvard fellow. He was not gaining illegal access to JSTOR.

"he switched IP addresses, spoofed his MAC address, and entered an MIT network closet. Conceivably, those actions could be construed as sufficient to establish "unauthorized access" even with Lofgren's bill on the books."

The internet geeks need to calm down. They are so excited about Aaron when there are real problems in the world. If you want to do something for Aaron then improve the mental health treatment in this country. No amount of legislation is going to cure depression and end all suicides.

And no amount of ignoring overzealous prosecution will end overzealous prosecution. (In other words: You're constructing a straw man.)

Ending "overzealous prosecution" would not have saved Aaron's life. Nothing about the prosecution was overzealous. Overzealous prosecution would be the execution of Troy Davis based entirely on witness testimony. That's overzealous. Learn perspective and stop being a puppet to internet hype.

Either way, while this new wording is all well and good, the fact that he could even be charged for that long for that crime astounds me. And until that changes (to something sensible that might "fit the crime") it will still be a loss.

Lofgren's bill would modify the Computer Fraud and Abuse Act... to clarify that its definition of unauthorized access "does not include access in violation of an agreement or contractual obligation, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer."

So, on what basis would unauthorized access be determined if these changes were made?

Not quite. He walked into a network closet that was left unsecured and probably unlabelled. Our closets have no labels. He plugged his machine into a physical network and accessed a system (JSTOR) that he was perfectly allowed to use. Remember, he was a Harvard fellow. He was not gaining illegal access to JSTOR.

He was gaining illegal access to the network by walking into a network closet and plugging his computer into a server. Just because a door doesn't explicitly say "Authorized Users Only" doesn't mean anyone is allowed to walk inside the room and do whatever they want with what was inside. Everything he did was designed to circumvent the restrictions placed upon him. That's pretty much the definition of gaining unauthorized access.

Either way, while this new wording is all well and good, the fact that he could even be charged for that long for that crime astounds me. And until that changes (to something sensible that might "fit the crime") it will still be a loss.

Why? He'd get the maximum if it was determined he was doing a bit more than just downloading papers. The media loves to tell us the maximum time someone COULD face w/o also indicating it's highly unlikely he' actually get anywhere near the maximum. the actual sentence is determined when they figure out if he was just some stupid kid hacking into a system or if he had malicious/nefarious intentions. He was likely going to do SOME time but most likely not the maximum.

Either way, while this new wording is all well and good, the fact that he could even be charged for that long for that crime astounds me. And until that changes (to something sensible that might "fit the crime") it will still be a loss.

ARS only reported the possible max. It's come out for a plea he would get 6-8months with a fine, if he didn't take that they were pushing for 7 years. Key word PUSHING meaning max the prosecution was hoping for. A judge could have given him a month. His new lawyer even said they were close to a deal with no jail time at all. Every crime has a crazy max for good reason. Because in this case the unauthorized access was pretty benign in the scheme of things but if someone did this in a hospital using some crazy hacking software and turned off the a/c or something like that they'd be brought up on many of the same charges but would be facing closer to the max.

Not quite. He walked into a network closet that was left unsecured and probably unlabelled. Our closets have no labels. He plugged his machine into a physical network and accessed a system (JSTOR) that he was perfectly allowed to use. Remember, he was a Harvard fellow. He was not gaining illegal access to JSTOR.

Then he should have gained it at Harvard, instead of at MIT, thereby getting repeatedly kicked off Harvard's network and causing Harvard's students to get blocked from JSTOR for days at a time. But, oh wait, he probably didn't want to compromise his Harvard Fellowship, which is probably why he bought a new computer and used a login pseudonym for his MIT shenanigans, so it couldn't be traced back to him

IMO, violation of a EULA should never be a felony. Shouldn't even be a misdemeanor, but simply the basis for civil action. I'm somewhat surprised to learn that's not currently the case.

Violation of a EULA/TOS isn't currently a felony, by itself. The EULA/TOS does determine authorization to access a network, however. Generally, by the terms of a EULA/TOS, if you violate it you are no longer authorized to access a network, and depending on what you do from there it could be a felony.

Again I see this whole thing as someone who was not as stressed out over a single situation as the media keeps claiming and that results like this Article and it's broader topic at hand played out for Aaron the martyr himself and force an issue that has taken decades to boil up.

Quote:

...the government also mentioned that he switched IP addresses, spoofed his MAC address, and entered an MIT network closet. Conceivably, those actions could be construed as sufficient to establish "unauthorized access" even with Lofgren's bill on the books....

There is no federal violation against changing the MAC or IP Addresses of a computer. Otherwise - anyone wearing a heavy coat a hat and sunglasses could be held for questioning every time they walked into a retail shop for fear that they might be there to rob the place. Tha's profiling - very weak but still profiling.

Additionally - a device might have multiple versions of both if they have both a wireless and a hardline connection option. Add to that Cellular connectivity and there generates a 3rd version of each. MAC Addresses are not device specific - but component specific to anything that fucntionally connects to a network. My printer has a MAC Address.

Either way, while this new wording is all well and good, the fact that he could even be charged for that long for that crime astounds me. And until that changes (to something sensible that might "fit the crime") it will still be a loss.

ARS only reported the possible max. It's come out for a plea he would get 6-8months with a fine, if he didn't take that they were pushing for 7 years. Key word PUSHING meaning max the prosecution was hoping for. A judge could have given him a month. His new lawyer even said they were close to a deal with no jail time at all. Every crime has a crazy max for good reason. Because in this case the unauthorized access was pretty benign in the scheme of things but if someone did this in a hospital using some crazy hacking software and turned off the a/c or something like that they'd be brought up on many of the same charges but would be facing closer to the max.

It sounds like MANY people here don't have a clue about how our legal system works. They don't bother checking to see if the crimes he was facing had any mandatory minimums or if it was completely up to the judge how much time he actually got, if any. The media these days don't bother giving you the full facts in stories like these. They shoot for sensationalism. and sadly it seems ARS did something like this too.

Yeah I knew man; they were stolen. You say a "fundamental misunderstanding of the law", but the difference is really the job title of the thief. Which was his point. Which he qualified first, positing the possibility he was mis-speaking, since they were two different things, obviously.

The thing is, he's on the right side of this issue, and you're going to run him down anyway, no matter how petty the criticism.

Timothy B. Lee / Timothy covers tech policy for Ars, with a particular focus on patent and copyright law, privacy, free speech, and open government. His writing has appeared in Slate, Reason, Wired, and the New York Times.